30 Nov 2011
KaKaRoToKS's jailbreak method was nearly leaked.....
29 Nov 2011
The first Greek review of True Blue, from ps3jailbreak-greece.blogspot.com
Blog member jk owns the much-coveted True Blue and was kind enough to write us a full review of how it works and what it offers. ps3jailbreak-greece.blogspot.com is the first Greek site to attempt something like this, and we certainly owe that to jk. Post any questions you have in the comments below and they will be answered promptly. A video and more material on True Blue will be uploaded soon. Download the guide from the 2 links below. The first is in docx format and the other in doc format; download whichever one opens on your PC.
Download Link
28 Nov 2011
Rebug Update Package 0.3 (3.41.3)/0.5 (3.55.2) and 3.73 Version Spoofer 2.1
These updates are aimed mainly at those running Rebug custom firmware, but anyone can install the Spoofer so that their console is not accidentally updated to Sony's official 3.73 firmware. Besides the 3.73 spoof, compatibility with reActPSN 2.0 is added. More information, and the files for download, can be found on the official site of the Rebug team here http://rebug.me/?p=1324 and also
Patch 1.02 for Uncharted 3 released
The new patch 1.02 for Uncharted 3 was released today. It improves several things in the game, such as the aiming system (it adds one more option to the options menu), and it also brings a cutscene viewer and motion blur to single player. Those of you running the backup of your legally purchased game would do well not to install it, since the game may then not run. So it would be best to avoid it.
27 Nov 2011
Will we have PSN access with JFW DH???
Cobra USB firmware v4.2 and multiMAN Cobra USB Manager v03.00.00 full released
A new firmware for the Cobra USB was released a short while ago which also supports games with split files, and at the same time we have a new multiMAN version named multiMAN Cobra USB Manager. Anyone who has the dongle can download the update from the link below, and no, it does not play the new games. For more information on Cobra, look through older posts by typing Cobra into the blog search.
- Full ISO and CUE+BIN support (incl. create ISO from folder)
- Full Cobra support (PSX, PS2, PSP, PS3, ISO, BIN, CUE, BDM, DVD)
- PSP UMD game support when PSP connected in USB+UMD mode
- Support for *.0/.31, *.001/.032, *.66600/.66631 split file formats
- Join split files in file manager (select and copy the first file to get the rest joined)
- Mount ISO files in File Manager (to browse/copy contents)
- New display mode “XBDM” – XBOX Dash Clone
- Support for games with split big files (from external hdd)
- BD/DVD Region options in SETTINGS column
- Support for PS2 game covers (OPL format, i.e. SLES_123.45_COV.JPG) in /covers_retro/psx (over 2000 covers included)
- Integrated Dongle Updater (in mmCM XMMB column)
- Option to turn on blue/green dongle leds or turn them off completely
- Integrated PSX, PS2 and PSP database for names and IDs (over 13000 entries) (for PSX/PS2 discs and PSP ISO/UMD files)
Download Link http://www.cobra-usb.com/download.html
DemonHades gives clarifications about JFW DH
DemonHades answered some questions regarding JFW DH. First of all, he cancelled the release of the 3.41 JFW DH. He then stated that to install his cfw you must be on 3.55 or 3.41. You also enter service mode with a pkg file, but there is a chance of a brick. JFW DH has options that Kmeaw does not, such as the preloader, but NOBODY SHOULD INSTALL IT BECAUSE IT IS A BIG FAKE...
25 Nov 2011
True Blue updated to version 2.3
The True Blue dongle has been updated to version 2.3 and is now compatible with even more games, listed below, that are expected to be released:
Bodycount (BLES01314)
Call of Duty Modern Warfare 3 (BLUS30838)
Dead Island (BLES00749)
Deus Ex Human Revolution (BLUS30476)
Dungeon Siege III (BLES01161)
Ratchet & Clank All 4 One (BCES01141)
Record of Agarest War Zero (BLUS30686)
Showtime PS3 Media Player Repack v3.3.275
The new Showtime is here, released just a few minutes ago. Version 3.3.275 is more stable than the previous ones and has small, not especially important improvements. Download it from the link below and install it via Install Package Files.
Download Link http://www.mediafire.com/?n6itxbr4ranvy73
24 Nov 2011
IrisManager for PS3 JFW DH 3.56 Custom Firmware
Download Link http://www.multiupload.com/REJASXTRMR
22 Nov 2011
The House of the Dead: Overkill Extended Cut runs on 3.55 custom firmware
Delete the update from inside your backup and overwrite our game's files with the files from the fix
Download Link http://www.multiupload.com/R4CVCSPJJC
21 Nov 2011
UPDATED KakaroToks is preparing a software jailbreak on 3.73
According to his Twitter account, KakaroToks is preparing a software jailbreak on 3.73. He himself stated that it is not a cfw and backup managers will not run, but he updated his PS3 to 3.73 and jailbroke it. How, and what exactly, we don't know yet, and until he completes it he will not publish anything so that it does not get blocked. It's a beauty in the photo hahahahaha
UPDATE
KakaroToks, again via Twitter, stated that yes, this new method he is preparing will play the new games, managers like multiMAN will not work, Showtime will work normally, and you will not be able to downgrade
PS3 Media Server 1.50.0
Download Link
20 Nov 2011
The original Assassin's Creed released as a PSN game
A few minutes ago the original Assassin's Creed was uploaded as a PSN game to the well-known... shops, and you can now enjoy it simply and easily on 3.55 custom firmware without any fix. Many had problems with the version that was released earlier, but now it plays flawlessly, and it's a good opportunity to try it. Install the 2 pkg files.
PS3 PKGView v1.1 Extractor
With PS3 PKGView V1.0 Extractor you can extract items from a pkg file and see what it contains. It is 100% legal since it contains no Sony code. You can download it from the link below
- FIX: Empty folders did not appear.
- Added support for retail pkg (thanks to Mathieulh's implementation).
- Now accepts a pkg passed as a parameter.
- Added support for dragging a pkg onto the application.
- Added option to extract to the source folder.
- Added .pkg extension association.
- Added "Extract here" option in the Windows context menu.
- FIX: PARAM.SFO did not appear.
Download Link http://www.mediafire.com/?a22x23p632m1x8g
19 Nov 2011
Showtime PS3 Media Player Repack v3.3.247
The new version of the excellent multimedia manager Showtime has just been released and you can download it from the link below. Version 3.3.247 brings small changes and offers greater stability. Install it via Install Package Files as always
Download Link http://www.mediafire.com/?mal6tensgq4cb38
18 Nov 2011
Read this and delete the files
SOS! Those of you who downloaded the files (myself included), delete them from your PC immediately. Do not run them, do not open them. I am referring to the 2 files that were uploaded to all the foreign sites and to ours, after which the news item was deleted a short while later. Also, the developers who have started... poking around inside True Blue said that there is no need to buy it, or any other stick of that kind, because they are obsolete, and that we should be a little patient
17 Nov 2011
Rebug 3.55.2 for the True Blue dongle
FEATURES INCLUDED/ADDED/UPDATED
INCLUDED - All REBUG 3.55.2 Features
INCLUDED - True Blue CFW COREOS
(Requires True Blue Dongle to run True Blue patched 3.60+ Games)
ADDED - reActPSN 2.0 compatibility
(Credit to Hotz8611)
ADDED - No act.dat deletion on reboot
(This is our own. We feel it is a little bit cleaner than the original reActPSN 2.0 patch)
UPDATED - 3.73 Version Spoof files
UPDATED - Rebug Selector 1.5.1 & 1.6.1
(Finally got around to fixing the display resolution on HD tv's)
Decrypting True Blue has begun
A few minutes ago developers from a very well-known foreign site who started studying the True Blue payload 2.2 announced that the dongle does not, after all, use a debug EBOOT to run games, which is very good, because Sony could otherwise stop it very simply and easily. Once the first game for TB (DiRT 3) came out, they saw that it does not in fact use a dev EBOOT, so they started looking into it further and, for a start, concluded that TB loads masterdiscs with fself. We hope to have more news in the coming days
New PSN releases from Duplex
Driver: San Francisco runs on 3.55 custom firmware!!!
16 Nov 2011
UPDATED 2. Team PARADOX released the first games compatible with True Blue
Team Paradox released the first 2 games which are fully compatible with True Blue, and it seems there is a chance the dongle does not simply use a debug EBOOT, which makes it not as useless as we thought at first. Let's see, are developments coming to the PS3 scene? The game releases Paradox made public are the ones below. NO, THESE 2 GAMES DO NOT PLAY WITHOUT True Blue
UPDATED Rage has been added to the 2 existing games
UPDATED 2 Dead Island has also been added
Dirt_3_WORKING_TB_READNFO_PS3-PARADOX
Portal_2_WORKING_TB_READ_NFO_PS3-PARADOX
OpenPS3FTPsplit
multiMAN directories: /Dev_usbxxx/
/Dev_hdd0/SPLIT/multiman
Download Link http://www.mediafire.com/?p4u1xce89andwyw
15 Nov 2011
True Blue updated and now supports 3.6+ games from the hard disk
The True Blue dongle has been updated to version 2.2 and now supports 3.6+ games, which you can back up to your hard disk (always for your legally purchased games). I am giving you the files below simply so you have them in your collection; to use them you need True Blue
Features
* Runs your existing games and new v3.6+ games from HDD in conjunction with standard backup managers
* Does not require the power/eject trick
* Custom v3.55 Dongle firmware behaves like OFW when True Blue is not inserted
* Manufactured from highest grade components and Actel based
* Durable and high quality metal case design
* Tough and durable plastic packaging
* Further features to be added as they are developed
* On board 2 MBytes SPI flash
* Supports Fat and Slim PS3 consoles currently running any firmware up to v3.55 and any PS3 which can be downgraded successfully from v3.6+ to v3.55 (NOTE: requires other tools, True Blue cannot downgrade a console)
* Supports all regions of consoles
* Supports all regions of v3.6+ games
* Rock solid crystal oscillator on board for flawless timing
New PSN games just released
14 Nov 2011
The JFW DH custom firmware has just been released!
DemonHades finally decided to release the... long-awaited JFW DH 3.56 custom firmware and you can download it from the link below. I will not install it, even though I was eagerly waiting for it, since we had high expectations for this release, but with everything that has happened in the last few months, well, we've become a bit disenchanted. Nobody make any move to install it; we are waiting to see what happens. It offers nothing more than Kmeaw. The information is coming in one piece after another.
- Support for PEEK/POKE of lv2, using the usual SYSCALLs 6 and 7 for compatibility with existing homebrew.
- Support for native PEEK/POKE of lv1 using SYSCALLs 10 and 11 respectively. These are used as SYSCALLs just like the lv2 ones; devs just have to use them as they would the lv2 ones, but they affect lv1.
- Loading of unsigned applications in FSELF format natively. That is, a normal application or an npdrm application in valid FSELF format works directly (no memory-copy touch in lv2).
- Loading of logically signed applications, with both official and unofficial valid signatures.
- Support for applications up to version 3.56.
- Use of all system SYSCALLs, provided that product mode, QA mode, etc. are not verified afterwards.
- No need to modify PARAM.SFO in the hypothetical case of an application that requests a version higher than 3.56, whether npdrm, a normal application, or an application run from the bdemu.
- Installation of Retail and Debug PKGs from the PKG Install option.
- QA-hacked system settings in the XMB. You can now open the options using the normal combo without the QA flag being active or a valid token existing on your machine. Any options changed are kept in the system registry settings. This QA hack lets any SPRX that calls the XMB to check this information receive the hacked information, such as nas_plugin.sprx, which in the case of DEX would allow Retail PKGs to be installed without any patch. As always, be careful what you do with those options; this is the safest way to have QA without being QA, and without having to modify the EEPROM, recalculate anything, or use tokens of any kind. Here I have to thank Sony for making the security of their token rest on only one byte and not on the ones it should.
- FIX: Patch to allow loading of applications (avoids error 0x80010009).
- FIX: Patch to avoid checking the application's firmware version against the firmware version stored in lv2 memory (avoids error 0x80010019).
- FIX: Patch to avoid error 0x8001003C (allows loading of applications that internally request a higher version than the current one).
- FIX: Patch to avoid error 0x8001003D.
- FIX: Patch to avoid error 0x8001003E (when using the hdd patch with no disc inserted).
- FIX: Enables the use of all SYSCALLs, avoiding the generic error 0x80010003.
- FIX: Patches a new security check that, outside updater mode, prevented launching an unsigned application with the minimum key 0xD (3.56), avoiding error 0x80010009. NOTE: See the NOTE AT THE END OF THIS README.
- FIX: A different method is used to integrate the new SYSCALLs 6, 7, 10 and 11 into lv2.
- Added support for native PEEK/POKE in lv1. The method used to integrate these new hypercalls does not reuse an existing hypercall; rather, any hypercall not used by the system becomes a peek or a poke depending on the case. To interact with PEEK/POKE, lv2 uses SYSCALLs 10 and 11 respectively.
- Changes in the mmap hypercall (114). In 3.56 Sony made significant changes to this hypercall to prevent the use that was being made of lv1-to-lv2 mapping. The hypercall now checks that the key argument has not been modified and checks the mapping ranges (anyone who understands this will realise how dangerous it is to map the critical thing, not to mention lv1); the hypercall code is split into sub-functions in chunks to frustrate analysis. In this version the 3.56 hypercall has not been touched, but with PEEK/POKE support in lv1, mapping is no longer necessary. A check of this hypercall is not ruled out for a later version; it is not really complicated, it just was not necessary for this version.
- Changes in the unmap hypercall (115), similar to mmap; its code is shared between sub-functions.
- FIX: Added some patches to avoid lv1/lv0 integrity checks. FIX: Added patches in the SPM and the DM to enable the use of any service. The patch is different and smaller than the existing SS patch (which is no longer compatible with 3.56); in my testing my patch does not produce any kind of problem with trophies, saved games, etc.
- TODO: Fix the problem of not being able to downgrade to a version lower than 3.56. Currently it is not possible to go down from 3.56 after upgrading to it.
- FIX: Patch to override the ECDSA digital signature check. An application with an invalid signature will now be considered validly signed; for example, an application "signed" without the proper private key needed to generate a proper signature.
- FIX: Patch that removes the hash check of the application segments. An invalid hash will be considered valid.
- FIX: Patch to override the restriction that FSELFs cannot be used on retail consoles. This patch is different from the one on ps3devwiki; the patch on that page bricks machines because it has a problem with the metadata when decrypting encrypted retail executables.
- FIX: Patch to override the protection added in 3.55 (for npdrm/normal applications; previously only the RVK was in charge of it) which prevents applications from being used above the version indicated by the current firmware. That is, in a hypothetical case, a 3.60 game trying to run on 3.56.
- FIX: Patch to override the application auth check protection (added in 3.56); this check detects programs created with public tools, since they always put the same, higher, auth.
- FIX: Patch to remove the protection of the white list of authorised programs, added in 3.56. Now you can use all applications as on 3.55 and below.
- lv2 is protected by a hash in lv1; if you want to poke an offset that falls within the protected range, this would produce a panic and shut the system down. To avoid this problem, use the tool attached to this package before using poke to modify lv2. The reason this patch is not implemented directly is that not everyone is a dev, and lv2 not being touchable is safer for the user. Of course the source code of this program is included, so a dev can see how the problem was patched using lv1 POKE.
- You can now exit service mode and use lv2diag as before, but this has a potential danger. 3.56 now makes it impossible to downgrade to lower than 3.56, meaning that if you are on 3.56 you stay there; if you ever tried to go back to a lower version, the update manager checks it. The problem is a programming error that allows updating with Lv2Diag.self: the failure is that it does not check that the update is on the USB, or verify that it is valid, and the program formats flash 1, 2 and 3. That is, if it then fails, your system would not be dead, with the flashes partially working; ROS still works and you can use lv2diag again, but forewarned is forearmed. Beware of Lv2diag!
- Attached to this package is an updated application to extract the nodes from an lv1 dump; it is an update of the application made by Graf Chokolo, now with support for versions 3.15, 3.41, 3.55 and 3.56 in one program. Useful for displaying the nodes extracted from your dump.
- The finished firmware graphic will be added when JFW 3.41 itself is finished. The package adds an application, which I do not think exists publicly, to set product mode directly from the XMB; it acts as a toggle, in case you need to use product mode, and just as simply removes it.
- As a final note, remember that this is the first version of the firmware, so constructive criticism is welcome. As I suppose that, due to this publication in which appldr patches appear, many variants will come out of it, just remember that the first publication was this one.
- Do not bite the hand that feeds you; today it is 3.56, perhaps tomorrow a higher one, or maybe not.
Download Link
Mathieulh decrypts LV0 on FW 3.73
Whatever we may say, Mathieulh really is far ahead on the PS3 front. A few minutes ago he uploaded a photo to his Twitter that proves he decrypted LV0 on Sony's official 3.73 firmware! In simple terms this means Custom Firmware on the latest firmware, but, as on other occasions, he writes below his photo that HE IS NOT GOING TO PUBLISH ANYTHING!
By the way, I won’t be posting keys, I won’t be posting dumps and I won’t be saying how it was done, time to work gentlemen.
12 Nov 2011
The True Blue payload revealed
Download Link http://www.multiupload.com/PFC3IZZNNN
11 Nov 2011
Showtime Plugin: Youtube v1.2
Install it in the path below
USRDIR/settings/installedplugins/ folder in Showtime
Download Link http://www.mediafire.com/?xo8894wg6t6ff5q
10 Nov 2011
PlayStation VISA Card!
Sony decided to release the PlayStation Card! This card is a credit card (VISA) and can be used like any other credit card, while also letting its holder earn points and redeem them on the PSN. See more information at the link below
Showtime Repack v3.3.209 - Unofficial
Download Link http://redsquirrel87.com/ShowtimeUnofficial.html
8 Nov 2011
UPDATE 2 The PS3 'Metldr' exploit leaked
The whole body of research was Mathieulh's, who was surely annoyed because someone else made the Metldr exploit public when it was the product of his own work, and after this he is abandoning the PS3 scene for good. His whole statement is below
Because some ungrateful person leaked my metldr exploit files I will now be explaining how it actually works; see this as my ultimate release of all time for an ungrateful scene (and scenes in the future).
That's about how pissed I am right now, because of course the person that leaked these files has no idea of how they actually work.
How to pwn metldr the "easy" way:
This is most likely how geohot exploited it in the first place; this takes (give or take) about 10 minutes to be performed. (Yeah, not so much of an "I hacked the PS3 all on my own" work, especially not when it partially relies on Segher's work, one of the reasons geohot never shared the way he exploited metldr with anyone.)
I will assume here that you do not have the loader keys that were made readily available by geohot. This little tutorial also assumes that you have a working .self generating tool.
Now you want to gain code execution in metldr. You know that metldr loads loaders into its own space, but you cannot run a loader because the loader needs to be signed, and even though you know about the sign fail that Segher introduced at the CCC, you cannot use it because you don't have decrypted signatures to calculate a private key, and to get signatures you need keys, which you are currently trying to dump; so far you are stuck in a chicken-and-egg scenario.
The question is, do you really need keys to get a decrypted signature?
Well, the real answer is no: thanks to a nifty fail that Sony left in metldr (and the bootloader), you can have the ldr decrypt the metadata for you. Isn't that neat?
Here's how it works:
STEP I)
In a self file, at address 0x0C a value is used to calculate where the metadata is going to be decrypted; the "offset" is at self header + 0x0C.
It's the "meta header offset" in the SCE structure; it takes the SCE offset + that value, so what you have to do is have a calculation that is equal to 0x3E01F0, which happens to be where metldr copies over the shared metadata from the mailbox (which is sent over by the PPU); the trick is to have metldr decrypt the metadata located at.
So basically you have to
1) set the offset += 0x2000
dump shared lsa
and keep increasing by 0x2000
until somewhere in the shared lsa 0x40 bytes change
2) when 0x40 bytes change, you can add/subtract the proper amount to make it decrypt the proper locations
3) then dump shared lsa and we have the decrypted header
Knowing that metldr uses SCE header 0xECF0, you could calculate it knowing the address: 0x3E01F0 - 0xECF0 = the value you would patch at SCE header + 0x0C
ROM:0000F6C0 D2 68 87 E6 metadata_erk: .int 0xD26887E6 ; DATA XREF: ROM:0000F178o
For example in CECHA, the address you want to decrypt it to is 0x3E1F0
so it should be 0x3E1F0 - 0xF6C0
Once you get the decrypted header, you have the key to decrypt the rest of the metadata. Here you go, you have your decrypted signature.
So far so good; now what's next?
STEP II)
Contrary to popular belief, you do not need to know the public key to calculate the private key; you just need two decrypted signatures. You now know how to dump these, so let's assume you just did. Now all you have to do is bruteforce the curve type by constantly reloading a self into metldr; the curve type being only 1 byte, that would be 64 possibilities.
CONGRATULATIONS, you just signed a loader!
Now what?
Well, your first reflex would be to sign a loader and use it to dump whatever is in your Isolated Local Store. The first thing you will notice is that you have a bit of metldr's code as a leftover; after a few seconds of disassembly you will figure out it's actually some piece of code that clears metldr's code and registers and jumps to some address which matches your signed loader's entrypoint.
This seems like a more than likely candidate to exploit, in that your goal would be to overwrite that piece of code with your own; that way you would have the whole metldr code right before the point where everything gets cleared out.
Let's try to do just that. From your previous dump, you obviously know that the clear code is located from 0x400 to 0x630 (0x410 being where metldr jumps when it clears). Your first attempt would naturally be to have a loader section load at 0x400; well, not so surprisingly, it fails. Because you are not without a brain (at least you aren't supposed to be if you're reading and understanding this), you will assume that it is likely that metldr checks that you aren't loading your loader/self section below a certain address, which, considering you know the loaders' entrypoint, is most likely to be 0x12C00. This assumption is in fact correct, as metldr will make sure you cannot load any loader at 0x12BFF and below. Seems like a huge letdown...
Well, maybe not, because yet again you are not without a brain: you check out the hardware properties of the Local Store, and you find out that the memory wraps around (memory is a donut, as someone once said at some CCC conference).
So what happens when you load your loader from, let's say, 0x3F000 to 0x40000 + some address (like 0x40410, for example)?
Well, it WORKS!
You could put the section at 0x3F000 if you made the length 0x1414 and the last instruction branches "up" to the dump code:
ROM:000008AC 33 7F 6C 80 brsl lr, cleanup_and_jump_entry
ROM:000008B0 32 00 11 80 br loc_93C
ROM:00000410 cleanup_and_jump_entry: ; CODE XREF: main+4Cp
ROM:00000410 32 7F FF 80 br sub_40C
This is what the exploit that got leaked does (yeah, that's not really their work, eh? But you figured that much by now, did you not?).
It overwrites from 0x000 to 0x480 because I originally loaded the section of size 0x880 to 0x3FC00.
So now you get code execution in metldr at the best time possible, because your code executes right after metldr copies the root keys from 0x00 to 0x30, which means you get to dump these too (although they are hardcoded in metldr's code anyway).
Here you go, you have a metldr dump!
Now, as a final line, I'd like to say screw leakers, screw the scene, and this is my last contribution to it EVER. It seems I can't even trust fellow developers to keep my work safe and not leak it. (Not like any of them would have been able to tell you how all this even works in the first place.)
So long, everyone.
Remember, don't ever bite the hands that feed you.
P.S. Oh! And btw, if you're talented enough to make hardware to dump the shared LSA, you can decrypt any lv0 using this technique.
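The two placement details in the statement above, the meta-offset patch of STEP I and the Local Store wrap-around that defeats the load-address floor in STEP II, as an added example that is not part of Mathieulh's post and is not code from the leaked files. It models the check the post infers (reject any section that starts below 0x12C00) next to a version that also accounts for the 256 KiB SPU Local Store wrapping modulo 0x40000. The 0x40000 size is the SPU's real Local Store size; the remaining constants are the ones quoted in the post; both check functions are a simplified model of the behaviour the post describes, not metldr's actual code.

```python
# Added example: model of the section-placement check described in the post,
# next to the SPU Local Store wrap-around that lets a section land on the
# clear-and-jump stub anyway. Constants other than LS_SIZE come from the post;
# the check functions are a simplified model, not metldr code.

LS_SIZE = 0x40000          # SPU Local Store is 256 KiB; addressing wraps modulo this
MIN_LOAD_ADDR = 0x12C00    # post: metldr refuses sections placed at 0x12BFF and below
CLEANUP_START = 0x400      # post: clear-and-jump stub occupies 0x400..0x630
CLEANUP_END = 0x630
CLEANUP_ENTRY = 0x410      # post: address metldr branches to when it clears


def meta_offset_patch(sce_header_base, target):
    """STEP I: value to write at SCE header + 0x0C so that
    sce_header_base + value == target, the address the metadata is decrypted to."""
    value = target - sce_header_base
    if value < 0:
        raise ValueError("target lies below the SCE header base")
    return value


def ls_ranges(load_addr, length):
    """Half-open [lo, hi) Local Store ranges actually written when `length`
    bytes are stored from `load_addr`, with the wrap past 0x40000 applied."""
    if not 0 <= load_addr < LS_SIZE or not 0 < length <= LS_SIZE:
        raise ValueError("bad section placement")
    end = load_addr + length
    if end <= LS_SIZE:
        return [(load_addr, end)]
    return [(load_addr, LS_SIZE), (0, end - LS_SIZE)]


def naive_placement_ok(load_addr, length):
    """The check the post infers: only the start address is compared to the
    floor; `length` is ignored, which is exactly the flaw."""
    return load_addr >= MIN_LOAD_ADDR


def wrap_aware_placement_ok(load_addr, length):
    """Hardened form: every byte the section touches, after wrapping, must
    sit at or above the floor."""
    return all(lo >= MIN_LOAD_ADDR for lo, _ in ls_ranges(load_addr, length))


def overwrites_cleanup(load_addr, length):
    """True if the section covers the clear-and-jump entry at 0x410."""
    return any(lo <= CLEANUP_ENTRY < hi for lo, hi in ls_ranges(load_addr, length))


if __name__ == "__main__":
    print(hex(meta_offset_patch(0xECF0, 0x3E01F0)))   # value for SCE header + 0x0C
    for addr, size in ((0x400, 0x230), (0x3F000, 0x1414), (0x3FC00, 0x880)):
        print(hex(addr), hex(size), [(hex(a), hex(b)) for a, b in ls_ranges(addr, size)],
              "naive:", naive_placement_ok(addr, size),
              "wrap-aware:", wrap_aware_placement_ok(addr, size),
              "hits 0x410:", overwrites_cleanup(addr, size))
```

The second and third placements are the ones the post names: a section of 0x1414 bytes at 0x3F000, or 0x880 bytes at 0x3FC00, passes the start-only check and still wraps onto 0x000..0x414 or 0x000..0x480, covering the stub at 0x410. A floor check has to be applied to every byte the load writes, not just to its first one.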
UPDATE 2
Linuxx tried it, experimented with it, and concluded that the whole thing is genuine, and he said we can experiment with it without fear (not ordinary users). He also uploaded what a correct dump should look like here
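STEP II of the statement rests on the "sign fail" Segher presented at CCC: ECDSA signatures produced with the same per-message nonce k leak the private key, which is why two decrypted signatures are enough and the public key is never needed. The following is an added example, not code from the post, from the leaked files, or from any PS3 tool: it signs two messages with a shared nonce and recovers the private key from the two signatures alone, then checks the result against the public key. It uses the public secp256k1 parameters as a stand-in for the console's own curve, whose parameters are not given on the page, and the private key D, nonce K and messages are made-up values for the demonstration.

```python
# Added example: ECDSA private-key recovery from two signatures that share a
# nonce. secp256k1 stands in for the console's real curve (not on the page);
# D, K and the messages below are made-up values for the demonstration.
import hashlib

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
A = 0
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def inv(x, m):
    return pow(x % m, -1, m)


def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + A*x + B over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k):
    """Textbook ECDSA with a caller-supplied nonce; the fail is using one k twice."""
    z = hash_to_int(msg)
    r = point_mul(k, G)[0] % N
    s = inv(k, N) * (z + r * d) % N
    return (r, s)


def verify(pub, msg, sig):
    r, s = sig
    w = inv(s, N)
    pt = point_add(point_mul(hash_to_int(msg) * w % N, G), point_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_private_key(msg1, sig1, msg2, sig2):
    """Equal r means equal k: solve k from the two s values, then d. No public key used."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("r differs, so the nonces were not reused")
    z1, z2 = hash_to_int(msg1), hash_to_int(msg2)
    k = (z1 - z2) * inv(s1 - s2, N) % N       # s1 - s2 = k^-1 (z1 - z2)
    return (s1 * k - z1) * inv(r1, N) % N     # s1 k = z1 + r d


# Made-up signer secrets for the demonstration.
D = 0x1D4E8F3A2C6B7059E1F0A3B5C7D9E2F4A6B8C0D2E4F6081A3C5E7092B4D6F8A1
K = 0x0A1B2C3D4E5F60718293A4B5C6D7E8F9FAEBDCCDBEAF90817263544536271809
MSG1 = b"loader one"
MSG2 = b"loader two"


def demo():
    """Sign both messages with the same K and recover D from the signatures alone."""
    sig1 = sign(D, MSG1, K)
    sig2 = sign(D, MSG2, K)
    recovered = recover_private_key(MSG1, sig1, MSG2, sig2)
    pub = point_mul(D, G)
    return recovered, verify(pub, MSG1, sig1), verify(pub, MSG2, sig2)


if __name__ == "__main__":
    d, ok1, ok2 = demo()
    print(hex(d), d == D, ok1, ok2)
```

The recovery needs only r, the two s values and the two message hashes; the public key is used here solely to confirm afterwards that the forged-by-recovery key really is the signer's. The curve-type brute force the post mentions is orthogonal: it only decides which parameter set the two signatures must be interpreted under.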